There's an app^W^Wa Working Group for that. <http://tools.ietf.org/wg/dane/>
On Sun, Sep 11, 2011 at 2:44 PM, Mike Jones <m...@mikejones.in> wrote:
> On 11 September 2011 16:55, Bjørn Mork <bj...@mork.no> wrote:
>> You can rewrite that: Trust is the CA business. Trust has a price. If
>> the CA is not trusted, the price increases.
>>
>> Yes, they may end up out of business because of that price jump, but you
>> should not neglect the fact that trust is for sale here.
>
> The CA model is fundamentally flawed in the fact that you have CAs
> whose sole "trustworthiness" is the fact that they paid for an audit
> (for Microsoft, lower requirements for others), they then issue
> intermediate certificates to other companies (many web hosts and other
> minor companies have them) whose sole "trustworthiness" is the fact
> that they paid for an intermediate certificate, all of those
> companies/organisations/people are then considered trustworthy enough
> to confirm the identity of my web server despite the fact that none of
> them have any connection at all to me or my website.
>
> There is already a chain of trust down the DNS tree, if that is
> compromised then my SSL is already compromised (if they control my
> domain, they can "verify" they are me and get a certificate), what
> happened to RFC4398 and other such proposals? EV certificates have a
> different status and probably still need the CA model, however with
> "standard" SSL certificates the only validation done these days is
> checking someone has control over the domain. DNSSEC deployment is
> advanced enough now to do that automatically at the client. We just
> need browsers to start checking for certificates in DNS when making an
> HTTPS connection (and if one is found do client side DNSSEC validation
> - I don't trust my ISP's DNS servers to validate something like that,
> considering they are the ones likely to be intercepting my connections
> in the first place!).
>
> It will take a while to get updated browsers rolled out to enough
> users for it to be practical to start using DNS based self-signed
> certificates instead of CA-signed certificates, so why don't any
> browsers have support yet? Are any of them working on it?
>
> - Mike
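The "certificates in DNS" mechanism Mike asks for is what the DANE working group linked above standardised as the TLSA record (RFC 6698). The following is an added example, not code from this thread or from the DANE WG: it parses a TLSA record in zone-file presentation format and checks a server's certificate chain against it, including the two points the thread raises, that an unvalidated (non-DNSSEC) answer proves nothing and that only the DANE-TA/DANE-EE usages (2 and 3) actually dispense with the CA model. The function names and the DER byte strings are constructed stand-ins.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class TLSARecord:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo only
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes

def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation format as in a zone file, e.g. '3 1 1 <hex>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSARecord(int(usage), int(selector), int(mtype),
                      bytes.fromhex("".join(hexparts)))

def association_data(rec: TLSARecord, cert_der: bytes, spki_der: bytes) -> bytes:
    """Bytes the record's data must equal, per selector and matching type."""
    selected = {0: cert_der, 1: spki_der}[rec.selector]
    if rec.mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[rec.mtype](selected).digest()

def tlsa_accepts(rec: TLSARecord, chain: list, dnssec_validated: bool,
                 pkix_valid: bool) -> bool:
    """chain: list of (cert_der, spki_der) tuples, leaf first.
    Usages 0/1 keep the CA model (a PKIX-valid chain is still required);
    usages 2/3 replace it. Signature checks between chain members and
    the "trust anchor must actually issue the leaf" rule are out of scope."""
    if not dnssec_validated:  # record not proven by DNSSEC: trust nothing
        return False
    if rec.usage in (0, 1) and not pkix_valid:
        return False
    # end-entity usages match the leaf; trust-anchor usages match an issuer
    candidates = chain[:1] if rec.usage in (1, 3) else chain[1:]
    return any(association_data(rec, c, s) == rec.data for c, s in candidates)

# Constructed stand-ins; a real client would use the DER from the TLS handshake.
SAMPLE_LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
SAMPLE_CA = (b"constructed-ca-cert-der", b"constructed-ca-spki-der")

def sample_record(usage: int, selector: int, mtype: int, target) -> str:
    """Build the TLSA RDATA a zone would publish for `target` (a chain entry)."""
    rec = TLSARecord(usage, selector, mtype, b"")
    return f"{usage} {selector} {mtype} {association_data(rec, *target).hex()}"

if __name__ == "__main__":
    rr = parse_tlsa(sample_record(3, 1, 1, SAMPLE_LEAF))  # DANE-EE, SPKI, SHA-256
    print(tlsa_accepts(rr, [SAMPLE_LEAF, SAMPLE_CA], True, False))  # True
```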